Strategies Shifting for DDoS DNS Amplification Attacks
At the Black Hat 2016 conference a few weeks ago, presenters shared new research which indicates that DDoS DNS amplification attacks are now more likely to use SSDP than NTP, and that distributed denial of service (DDoS) attacks may generally be smaller than are commonly reported. The research was done by representatives from the U.S. Federal Bureau of Investigation (FBI) and Malware Patrol, a malware and ransomware threat data provider. According to TechTarget, the researchers found that:
“…port 123, the well-known port used by Network Time Protocol (NTP) servers, is no longer the most abused UDP port for DDoS DNS amplification attacks.”
The researchers also observed that large saturation attacks are less common than people think – Corero research has shown similar trends, among our customers, with the vast majority of DDoS attacks now less than 1Gbps in size and lasting less than ten minutes.
Reasons for the Shift
There are some good reasons for these trends, specifically related to vulnerability awareness and attack sophistication:
- Large enough volumetric attacks are harder to launch, as bandwidth becomes more affordable and increased awareness means some of the larger DDoS reflectors that were traditionally exploited are being locked down. For example, earlier this year, the NTP organization released a number patches, including fixes for DoS exploits. As these fixes make their way onto public NTP servers, attackers have to look elsewhere.
One area attackers are turning their attention to is the Simple Service Discovery Protocol (SSDP), on port 1900, because of the widespread availability of devices which can be exploited—predominantly due to its open use for UPnP in residential routers and other networked consumer devices. However, with a significantly smaller thirty-one-to-one amplification factor, attackers have to work much harder to launch very large volumetric attacks leveraging SSDP.
- At the same time attacks have become more sophisticated across the board, and attackers don’t always need—or indeed want—to launch huge, saturating attacks. Attacks now tend to be smaller and more “surgical.” Such small, sub-saturating, DDoS attacks are dangerous because they can also be used to create a distraction, by taking out a target website/application/server, sneaking under the radar of legacy DDoS protection solutions, while sustaining the Internet connection of the target so the attacker can do other, more significant, damage. If a DDoS attack is not seen, then it can’t be mitigated, but the result can be just as damaging.
Even if a traditional DDoS scrubbing center solution is being used for protection, the ten minutes (or more) it typically takes for mitigation to commence means that the damage has already been done; hackers need only a few seconds or minutes to perform their nefarious activities.
The joint presentation from the FBI and Malware Patrol validates the need for real-time DDoS Defense Solutions that detect and block even the smallest, low-threshold attacks, whether they are launched with an NTP, SSDP, or any other vector.
If you’d like to learn more, contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.